SYMBOLCOMMON_NAMEaka. SYNONYMS
win.trochilus_rat (Back to overview)

Trochilus RAT

Actor(s): APT31, Stone Panda

There is no description at this point.

References
2020-06-24Counter Threat Unit ResearchTeam
@online{researchteam:20200624:bronze:62b58ff, author = {Counter Threat Unit ResearchTeam}, title = {{BRONZE VINEWOOD Targets Supply Chains}}, date = {2020-06-24}, url = {https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains}, language = {English}, urldate = {2020-06-26} } BRONZE VINEWOOD Targets Supply Chains
MimiKatz Trochilus RAT APT31
2020-06-03Trend MicroDaniel Lunghi
@techreport{lunghi:20200603:how:4f28e63, author = {Daniel Lunghi}, title = {{How to perform long term monitoring of careless threat actors}}, date = {2020-06-03}, institution = {Trend Micro}, url = {https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf}, language = {English}, urldate = {2020-06-05} } How to perform long term monitoring of careless threat actors
BBSRAT HyperBro Trochilus RAT
2020-02-18Trend MicroDaniel Lunghi, Cedric Pernet, Kenney Lu, Jamz Yaneza
@online{lunghi:20200218:uncovering:93b0937, author = {Daniel Lunghi and Cedric Pernet and Kenney Lu and Jamz Yaneza}, title = {{Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations}}, date = {2020-02-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia}, language = {English}, urldate = {2020-02-20} } Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations
Cobalt Strike HyperBro PlugX Trochilus RAT
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:66a45ac, author = {SecureWorks}, title = {{BRONZE VINEWOOD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-vinewood}, language = {English}, urldate = {2020-05-23} } BRONZE VINEWOOD
MimiKatz Trochilus RAT APT31
2019-02-06Recorded FutureInsikt Group, Rapid7
@techreport{group:20190206:apt10:74d18e7, author = {Insikt Group and Rapid7}, title = {{APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign}}, date = {2019-02-06}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf}, language = {English}, urldate = {2019-12-17} } APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign
Trochilus RAT APT31 Hurricane Panda Stone Panda
2017-11-03Github (5loyd)5loyd
@online{5loyd:20171103:trochilus:964b44c, author = {5loyd}, title = {{Trochilus}}, date = {2017-11-03}, organization = {Github (5loyd)}, url = {https://github.com/5loyd/trochilus/}, language = {English}, urldate = {2020-01-08} } Trochilus
Trochilus RAT
2017-04PricewaterhouseCoopersPricewaterhouseCoopers
@techreport{pricewaterhousecoopers:201704:operation:cb50712, author = {PricewaterhouseCoopers}, title = {{Operation Cloud Hopper: Technical Annex}}, date = {2017-04}, institution = {PricewaterhouseCoopers}, url = {https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf}, language = {English}, urldate = {2019-10-15} } Operation Cloud Hopper: Technical Annex
ChChes PlugX Quasar RAT RedLeaves Trochilus RAT
2015-08Arbor NetworksASERT Team
@online{team:201508:uncovering:121e5cf, author = {ASERT Team}, title = {{Uncovering the Seven Pointed Dagger}}, date = {2015-08}, organization = {Arbor Networks}, url = {https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn}, language = {English}, urldate = {2020-05-18} } Uncovering the Seven Pointed Dagger
9002 RAT EvilGrab PlugX Trochilus RAT Group 27
Yara Rules
[TLP:WHITE] win_trochilus_rat_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_trochilus_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.trochilus_rat"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0f8f9e010000 ff75f4 8d8e98000000 e8???????? 8bf8 3bfb 0f8476010000 }
            // n = 7, score = 100
            //   0f8f9e010000         | jg                  0x1a4
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   8d8e98000000         | lea                 ecx, [esi + 0x98]
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   3bfb                 | cmp                 edi, ebx
            //   0f8476010000         | je                  0x17c

        $sequence_1 = { 8bec 56 8b7508 8b4e14 83f908 7204 8b16 }
            // n = 7, score = 100
            //   8bec                 | mov                 ebp, esp
            //   56                   | push                esi
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   8b4e14               | mov                 ecx, dword ptr [esi + 0x14]
            //   83f908               | cmp                 ecx, 8
            //   7204                 | jb                  6
            //   8b16                 | mov                 edx, dword ptr [esi]

        $sequence_2 = { e8???????? 85c0 7513 68???????? 6a02 6a36 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7513                 | jne                 0x15
            //   68????????           |                     
            //   6a02                 | push                2
            //   6a36                 | push                0x36

        $sequence_3 = { e8???????? 8b450c 0fb74032 ffb600010100 50 e8???????? 6a00 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   0fb74032             | movzx               eax, word ptr [eax + 0x32]
            //   ffb600010100         | push                dword ptr [esi + 0x10100]
            //   50                   | push                eax
            //   e8????????           |                     
            //   6a00                 | push                0

        $sequence_4 = { ff7714 ff7710 ffb300010100 e8???????? 8d4324 eb20 8b471c }
            // n = 7, score = 100
            //   ff7714               | push                dword ptr [edi + 0x14]
            //   ff7710               | push                dword ptr [edi + 0x10]
            //   ffb300010100         | push                dword ptr [ebx + 0x10100]
            //   e8????????           |                     
            //   8d4324               | lea                 eax, [ebx + 0x24]
            //   eb20                 | jmp                 0x22
            //   8b471c               | mov                 eax, dword ptr [edi + 0x1c]

        $sequence_5 = { 89b5b0fbffff 898db4fbffff 89b5c0fbffff 899dbcfbffff 899db8fbffff 7202 }
            // n = 6, score = 100
            //   89b5b0fbffff         | mov                 dword ptr [ebp - 0x450], esi
            //   898db4fbffff         | mov                 dword ptr [ebp - 0x44c], ecx
            //   89b5c0fbffff         | mov                 dword ptr [ebp - 0x440], esi
            //   899dbcfbffff         | mov                 dword ptr [ebp - 0x444], ebx
            //   899db8fbffff         | mov                 dword ptr [ebp - 0x448], ebx
            //   7202                 | jb                  4

        $sequence_6 = { 8b5d0c 56 57 8d7df4 bebc1d0110 e8???????? }
            // n = 6, score = 100
            //   8b5d0c               | mov                 ebx, dword ptr [ebp + 0xc]
            //   56                   | push                esi
            //   57                   | push                edi
            //   8d7df4               | lea                 edi, [ebp - 0xc]
            //   bebc1d0110           | mov                 esi, 0x10011dbc
            //   e8????????           |                     

        $sequence_7 = { 50 ff7510 8b4508 ff750c e8???????? 83c40c 85c0 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax

        $sequence_8 = { 33db 391f 7e1d 8b4704 8b4c0304 68a01e0110 e8???????? }
            // n = 7, score = 100
            //   33db                 | xor                 ebx, ebx
            //   391f                 | cmp                 dword ptr [edi], ebx
            //   7e1d                 | jle                 0x1f
            //   8b4704               | mov                 eax, dword ptr [edi + 4]
            //   8b4c0304             | mov                 ecx, dword ptr [ebx + eax + 4]
            //   68a01e0110           | push                0x10011ea0
            //   e8????????           |                     

        $sequence_9 = { a1???????? c705????????90897e00 8935???????? a3???????? ff15???????? a3???????? }
            // n = 6, score = 100
            //   a1????????           |                     
            //   c705????????90897e00     |     
            //   8935????????         |                     
            //   a3????????           |                     
            //   ff15????????         |                     
            //   a3????????           |                     

    condition:
        7 of them and filesize < 630784
}
Download all Yara Rules